Changeset d8ae2a0 in mod_gnutls for docs/mod_gnutls_manual.mdwn

Mar 19, 2015, 9:30:18 AM (4 years ago)
Thomas Klute <thomas2.klute@…>
debian/master, debian/stretch-backports, jessie-backports, master, upstream

Documentation for proxy TLS configuration directives

Add documentation for the new configuration directives introduced in
commit 0de1839d444092a3d46ebae49572c54b1982f629, and add the generated
documentation files to .gitignore.

1 edited


  • docs/mod_gnutls_manual.mdwn

    r91ccb87 rd8ae2a0  
    395395With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
    396396environment variables to the CGI process as `mod_ssl`.
     402Enable TLS proxy connections for this virtual host
     404    SSLProxyEngine [on|off]
     406Default: *off*\
     407Context: virtual host
     409This directive enables support for TLS proxy connections for a virtual
     415Set to the PEM Encoded Certificate Authority Certificate
     417    GnuTLSProxyCAFile FILEPATH
     419Default: *none*\
     420Context: server config, virtual host
     422Takes an absolute or relative path to a PEM Encoded Certificate to use
     423as a Certificate Authority when verifying certificates provided by
     424proxy back end servers. This file may contain a list of trusted
     425authorities. If not set, verification of TLS back end servers will
     426always fail due to lack of a trusted CA.
     431Set to the PEM Encoded Client Certificate
     433    GnuTLSProxyCertificateFile FILEPATH
     435Default: *none*\
     436Context: server config, virtual host
     438Takes an absolute or relative path to a PEM-encoded X.509 certificate
     439to use as this Server's End Entity (EE) client certificate for TLS
     440client authentication in proxy TLS connections. If you need to supply
     441certificates for intermediate Certificate Authorities (iCAs), they
     442should be listed in sequence in the file, from EE to the iCA closest
     443to the root CA. Optionally, you can also include the root CA's
     444certificate as the last certificate in the list.
     446If not set, TLS client authentication will be disabled for TLS proxy
     447connections. If set, `GnuTLSProxyKeyFile` must be set as well to
     448provide the matching private key.
     453Set to the PEM Encoded Private Key
     455    GnuTLSProxyKeyFile FILEPATH
     457Default: *none*\
     458Context: server config, virtual host
     460Takes an absolute or relative path to the Private Key matching the
     461certificate configured using the `GnuTLSProxyCertificateFile`
     462directive. This key cannot currently be password protected.
     464**Security Warning:**\
     465This private key must be protected. It is read while Apache is still
     466running as root, and does not need to be readable by the nobody or
     467apache user.
    398469* * * * *
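Review bot: The synopsis at new line 404 reads `SSLProxyEngine [on|off]`, while the three other directives documented in this hunk all use the `GnuTLSProxy` prefix (`GnuTLSProxyCAFile`, `GnuTLSProxyCertificateFile`, `GnuTLSProxyKeyFile`). If the module registers this directive under the `GnuTLS` prefix as well, the synopsis should match it, because an administrator copying the line as written would end up with a directive belonging to another module or an unknown-directive error at startup. Separately, the security warning at 464-467 says the private key must be protected but not how. Since line 462 states the key cannot be password protected, file permissions are the only safeguard, so the text should state the expected ownership and mode explicitly (for example, owned by root and readable only by root).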